Status

1) [X] Responsive to communication(s) filed on 08 October 2007.
2a) [X] This action is FINAL. 2b) [ ] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

4) [X] Claim(s) 10, 11, 14-16 and 33-52 is/are pending in the application.

DETAILED ACTION

1. This is in response to the arguments filed on 8 October 2007.

2. Claims 10, 11, 14-16 and 33-52 are pending in the application. 

3. Claims 10, 11, 14-16 and 33-52 have been rejected. 

4. Claims 1-9, 12, 13 and 17-32 have been cancelled. 

Response to Arguments 

5. Applicant's arguments filed 8 October 2007 have been fully considered but they are not 
persuasive. 

On page 4, the applicant argues that Bsaibes does not disclose "programmatically 
determining whether the first access control list is functionally equivalent to a second access 
control list by determining whether each of the first sub-entries in the first access control list is 
equivalent to or contained by one or more entries of multiple second access control entries in the 
second access control list". 

The examiner respectfully disagrees. Referring first to node A, 700, in FIG. 6,
comparing Tim's permissions at 706 with the corresponding permissions in FIG. 5, it will be
noted that Tim's permission is modified in FIG. 6 and the write permission (w) is deleted.
Similarly, Catherine is modified and granted execute permission in node A of FIG. 6 whereas
previously in node A (FIG. 5), she only had read and write permission.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on 
sale in this country, more than one year prior to the date of application for patent in the United States. 

6. Claims 10, 11, 33-41 and 45-48 are rejected under 35 U.S.C. 102(b) as being anticipated 
by Bsaibes et al U.S. Patent No. 5,701,458. 

As to claim 10, Bsaibes et al discloses a method as recited, wherein identifying first sub-entries in a
first access control list comprises: 

identifying a dimensional range and a policy action for each entry in the 
first access control list [column 5 line 65 to column 9 line 9]; 

identifying all overlapping dimensional ranges in the first access control 
list, each overlapping dimensional range corresponding to where the dimensional 
ranges of entries in the first access control list overlap [column 5 line 65 to 
column 9 line 9]; 

identifying all non-overlapping dimensional ranges in the first access 
control list, each of the non-overlapping dimensional ranges corresponding to 
dimensional ranges of entries in the first access control list that do not overlap 
dimensional ranges of other entries in the first access control list [column 5 line 
65 to column 9 line 9]; 

identifying a policy action for each identified overlapping dimensional 
range in the first access control list [column 5 line 65 to column 9 line 9]; and

identifying a policy action for each identified non-overlapping
dimensional range of the first access control list [column 5 line 65 to column 9 
line 9]. 

As to claims 11, 41 and 49, Bsaibes et al discloses as recited, wherein identifying second
sub-entries in a second access control list comprises: 

identifying a dimensional range and a policy action for each entry in the 
second access control list [column 5 line 65 to column 9 line 9]; 

identifying all overlapping dimensional ranges in the second access 
control list, each overlapping dimensional range corresponding to where the 
dimensional ranges of entries in the second access control list overlap [column 5 
line 65 to column 9 line 9]; 

identifying all non-overlapping dimensional ranges in the second access 
control list, each of the non-overlapping dimensional ranges corresponding to 
dimensional ranges of entries in the second access control list that do not overlap 
dimensional ranges of other entries in the second access control list [column 5 
line 65 to column 9 line 9]; 

identifying a policy action for each identified overlapping dimensional 
range of the second access control list [column 5 line 65 to column 9 line 9]; and 

identifying a policy action for each identified non-overlapping 
dimensional range of the second access control list [column 5 line 65 to column 9 
line 9].

As to claim 33, Bsaibes et al discloses a method of comparing access control lists to
configure a security policy on a network, the method comprising the computer-implemented 
steps of: 

identifying first sub-entries in a first access control list, wherein the first 
access control list comprises multiple first access control entries, and wherein the 
first sub-entries identified from the first access control list comprise (i) disjoint 
entries of the first entries or (ii) overlapping sections identified from the first 
entries or (iii) non-overlapping sections identified from the first entries [column 5 
line 65 to column 9 line 9]; and 

programmatically determining whether the first access control list is 
functionally equivalent to a second access control list by determining whether 
each of the first sub-entries in the first access control list is equivalent to or 
contained by one or more entries of multiple second access control entries in the
second access control list [column 5 line 65 to column 9 line 9].

As to claims 34, 38 and 46, Bsaibes et al discloses determining that the first access
control list is functionally equivalent to the second access control list in response to a 
determination that each of the first sub-entries is equivalent to or contained by one or more 
entries of the second access control list [column 5 line 65 to column 9 line 9].

As to claims 35, 39 and 47, Bsaibes et al discloses a method as recited, further
comprising: 

identifying second sub-entries in the second access control list, wherein 
the second sub-entries identified from the second access control list comprise (i) 
disjoint entries of the second entries or (ii) overlapping sections identified from 
the second entries or (iii) non-overlapping sections identified from the second 
entries [column 6 line 18 to column 7 line 22]; and 

wherein determining whether each of the first sub-entry in the first access 
control list is equivalent to or contained by one or more entries of the second 
access control list includes determining whether the each of the first sub-entries in 
the first access control list is equivalent to or contained by one or more of the 
second sub-entries identified from the second control list [column 6 line 18 to
column 7 line 22]. 

As to claim 36, Bsaibes et al discloses a computer readable medium for comparing access 
control lists to configure a security policy on a network, the computer readable medium carrying 
instructions for performing the steps of: 

identifying first sub-entries in a first access control list, wherein the first 
access control list comprises multiple first access control entries, and wherein the
first sub-entries identified from the first access control list comprise (i) disjoint 
entries of the first entries or (ii) overlapping sections identified from the first 
entries or (iii) non-overlapping sections identified from the first entries [column 5 
line 65 to column 9 line 9]; and

programmatically determining whether the first access control list is
functionally equivalent to a second access control list by determining whether 
each of the first sub-entries in the first access control list is equivalent to or 
contained by one or more entries of multiple second access control entries in the 
second access control list [column 5 line 65 to column 9 line 9].

As to claim 37, Bsaibes et al discloses a policy server communicatively coupled to
security devices in a network to configure a security policy on a network, the policy server 
comprising: 

a processor [column 5, lines 51-67]; 

a network interface that communicatively couples the processor to the 
network to receive flows of packets therefrom [column 5, lines 51-67]; 
a memory [column 5, lines 51-67]; and 

sequences of instructions in the memory which, when executed by the 
processor, cause the processor to carry out the steps of: 

identifying first sub-entries in a first access control list, wherein 
the first access control list comprises multiple first access control entries, 
and wherein the first sub-entries identified from the first access control list 
comprise (i) disjoint entries of the first entries or (ii) overlapping sections 
identified from the first entries or (iii) non-overlapping sections identified 
from the first entries [column 5 line 65 to column 9 line 9]; and 

programmatically determining whether the first access control list 
is functionally equivalent to a second access control list by determining 



Application/Control Number: Page 8 

10/044,019 

Art Unit: 2131 

whether each of the first sub-entries in the first access control list is 
equivalent to or contained by one or more entries of multiple second 
access control entries in the second access control list [column 5 line 65 to 
column 9 line 9]. 

As to claims 40 and 48, Bsaibes et al discloses a policy server as recited, wherein the 
instructions for performing identifying first sub-entries in a first access control list comprise: 

instructions for performing identifying a dimensional range and a policy 
action for each entry in the second access control list [column 6 line 18 to column
7 line 22]; 

instructions for performing identifying all overlapping dimensional ranges 
in the second access control list, each overlapping dimensional range 
corresponding to where the dimensional ranges of entries in the second access 
control list overlap [column 6 line 18 to column 7 line 22]; 

instructions for performing identifying all non-overlapping dimensional 
ranges in the second access control list, each of the non-overlapping dimensional 
ranges corresponding to dimensional ranges of entries in the second access 
control list that do not overlap dimensional ranges of other entries in the second 
access control list [column 6 line 18 to column 7 line 22]; 

instructions for performing identifying a policy action for each identified 
overlapping dimensional range in the second access control list [column 6 line 18
to column 7 line 22]; and

instructions for performing identifying a policy action for each identified
non-overlapping dimensional range of the second access control list [column 6 
line 18 to column 7 line 22].

As to claim 45, Bsaibes et al discloses an apparatus for comparing access control lists to
configure a security policy on a network, the apparatus comprising: 

means for identifying first sub-entries in a first access control list, wherein 
the first access control list comprises multiple first access control entries, and 
wherein the first sub-entries identified from the first access control list comprise 
(i) disjoint entries of the first entries or (ii) overlapping sections identified from 
the first entries or (iii) non-overlapping sections identified from the first entries 
[column 5 line 65 to column 9 line 9]; and 

means for programmatically determining whether the first access control 
list is functionally equivalent to a second access control list by determining 
whether each of the first sub-entries in the first access control list is equivalent to 
or contained by one or more entries of multiple second access control entries in the
second access control list [column 5 line 65 to column 9 line 9].

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 

such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

7. Claims 14, 42 and 50 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Bsaibes et al U.S. Patent No. 5,701,458 as applied to claims 33, 37 and 45 above, and
further in view of Brawn et al U.S. Patent No. 7,020,718 B2.

As to claims 14, 42 and 50, Bsaibes et al does not teach that identifying a dimensional range 
and a policy action for each entry in the first access control list includes identifying a source 
address range and a destination address range for communication packets specified by each of 
the entries in the first access control list. 

Brawn et al teaches identifying a source address range and a destination address range for 
communication packets specified by each of the entries in the first access control list [column 8 
line 41 to column 9 line 2]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Bsaibes et al so that a dimensional range and a 
policy action would have been identified for each entry in the first access control list that would 
have included identifying a source address range and a destination address range for 
communication packets specified by each of the entries in the first access control list.

It would have been obvious to a person having ordinary skill in the art at the time the
invention was made to have modified Bsaibes et al by the teaching of Brawn et al because an 
advantage includes providing a discontiguous address plan that allows thousands of discrete, 
different sized, and seemingly irregularly spaced address ranges to be accessed and identified by 
a small number of address and mask combinations. Another advantage includes providing an 
enterprise having a large complex network with a discontiguous network address plan configured 
to optimize for route advertisement, ACL entries, firewall configurations, and multiple network 
policies [column 6, lines 27-35]. 

8. Claims 15, 43 and 51 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Bsaibes et al U.S. Patent No. 5,701,458 as applied to claims 33, 37 and 45 above, and 
further in view of Mate et al U.S. Patent No. 7,020,718 B2. 

As to claims 15, 43 and 51, Bsaibes et al does not teach that identifying a dimensional 
range and a policy action for each entry in the first access control list includes identifying a 
source port range and a destination port range for communication packets specified by each of 
the entries in the first access control list. 

Mate et al teaches identifying a source port range and a destination port range for 
communication packets specified by each of the entries in the first access control list [column 11, 
lines 4-19]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Bsaibes et al so that a dimensional range and a 
policy action would have been identified for each entry in the first access control list that would
have included identifying a source port range and a destination port range for communication
packets specified by each of the entries in the first access control list. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Bsaibes et al by the teaching of Mate et al because it 
provides a method and system having fast search capabilities for classifying a plurality of types 
of data traffic and route lookup [column 3, lines 14-16].

9. Claims 16, 44 and 52 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Bsaibes et al U.S. Patent No. 5,701,458 as applied to claims 33, 37 and 45 above, and 
further in view of Banginwar U.S. Patent No. 7,020,718 B2. 

As to claims 16, 44 and 52, Bsaibes et al does not teach identifying a dimensional range 
and a policy action for each entry in the first access control list includes identifying a 
communication protocol for communication packets specified by each of the entries in the first 
access control list. 

Banginwar teaches identifying a communication protocol for communication packets 
specified by each of the entries in the first access control list [column 3, lines 18-46].

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Bsaibes et al so that a dimensional range and a 
policy action would have been identified for each entry in the first access control list that would 
have included identifying a communication protocol for communication packets specified by 
each of the entries in the first access control list. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Bsaibes et al by the teaching of Banginwar because it 
enables a policy manager to communicate with the many devices connected to it [column 3, lines
47-54]. 

Conclusion 

10. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing
date of this final action. 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Aravind K. Moorthy whose telephone number is 571-272-3793. 
The examiner can normally be reached on Monday-Friday, 8:00-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 